The US-based art dealer “Sotheby’s” had its website compromised by the financially motivated threat group “Magecart” since at least March 2017, according to a statement the company released to its customers. Sotheby’s confirmed that its website was compromised and infected with card-skimming malware that stole data entered on the company’s checkout page. Sotheby’s stated that it “became aware” of the incident on October 10, 2018. The stolen data, which affects an undetermined number of customers, consisted of the following: addresses, email addresses, and payment card numbers. The company also said that card expiration dates and CVV codes may have been stolen during the time the website was compromised. Since the discovery, Sotheby’s has removed the malware from its checkout page and has reportedly implemented additional security measures on its site.

Recommendation: Webmasters sometimes discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities; for a checkout page this includes watching the set of scripts the page loads, since a skimmer is typically an added or modified script. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
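One way to implement the checkout-page monitoring the recommendation calls for, as an added example that is not part of the original brief: a script-inventory check that parses the page, records every external script source and hashes every inline script body, and flags anything not in a known-good baseline. The baseline entries, hostnames and the sample page are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser

# Constructed baseline: script sources and inline-script bodies the checkout page is
# expected to carry after a known-good deploy (hypothetical values).
BASELINE_SRCS = {"/static/checkout.js", "https://js.payment-provider.example/v3/"}
KNOWN_INLINE = "initCheckout({ currency: 'USD' });"
BASELINE_INLINE_SHA256 = {hashlib.sha256(KNOWN_INLINE.encode()).hexdigest()}


class ScriptInventory(HTMLParser):
    """Collects <script src=...> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:          # HTMLParser hands script text to handle_data
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def audit_checkout_page(html, baseline_srcs, baseline_inline_hashes):
    """Return the script sources and inline-script hashes not present in the baseline."""
    parser = ScriptInventory()
    parser.feed(html)
    unexpected_srcs = sorted(set(parser.srcs) - set(baseline_srcs))
    unexpected_inline = sorted(
        h for h in (hashlib.sha256(b.encode()).hexdigest() for b in parser.inline)
        if h not in baseline_inline_hashes
    )
    return {"unexpected_srcs": unexpected_srcs, "unexpected_inline": unexpected_inline}


# Constructed sample: the deployed page plus one added external script and one added
# inline block, which is what a skimmer injection looks like to this check.
SAMPLE_PAGE = f"""<html><body>
<script src="/static/checkout.js"></script>
<script src="https://js.payment-provider.example/v3/"></script>
<script>{KNOWN_INLINE}</script>
<script src="https://cdn.unexpected-host.example/lib.js"></script>
<script>/* not in baseline */ var t = document.forms[0];</script>
</body></html>"""

if __name__ == "__main__":
    print(audit_checkout_page(SAMPLE_PAGE, BASELINE_SRCS, BASELINE_INLINE_SHA256))
```

Run the audit on a schedule against the live page and alert on any non-empty result; a deploy that legitimately changes a script updates the baseline.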

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.